Infection Size

Contents

When Devil is loaded into memory, every DOS executable in current directory are infected by instant, including COMMAND.COM, by adding 1,882 bytes (2 copies of the infection code) to every file, and then it hooks INT 9 and 21h, infects every program that are run. The virus would always be loaded after booting.

The infection size varies on different files.

The virus behaves differently on infecting the executable, it does not check whether a COM file has been infected but it does on EXE, so that the virus does not re-infect EXE files.

When an infected DOS executable is run, the virus infects it by inserting the first 1,630 bytes of it code to the beginning of the file, and then the other 1,888 bytes placed at the end of the file. In other words, the virus adds 3,518 bytes on further infections.

When the user issues CTRL-ALT-DEL, the virus displays the following message with grey background:

Have you ever danced with the devil under the weak light of the moon?
Pray for your disk!
The_Joker...
Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha

If the count of key presses is less than 5,000 by the time CTRL-ALT-DEL are pressed, this payload screen would just appear in a flash and then the computer may reboot as usual, otherwise the system would halt on this screen.